What the Delve situation reveals about vendor risk programs — and what to do about it.
A compliance scandal is making headlines in the security industry. The short version: an anonymous whistleblower investigation alleged that Y Combinator-backed startup Delve — which raised $32 million at a $300 million valuation¹ — generated near-identical SOC 2 reports for hundreds of clients, with auditor conclusions written before any independent review took place.² Delve disputes the most serious allegations.³ TechCrunch has covered the story extensively,⁴ and Insight Partners subsequently scrubbed an investment thesis article about the company from its website.⁵
If you want the full details, the DeepDelver Substack investigation² and Inc.'s coverage⁶ are the right places to start.
What matters for security and risk teams isn't the drama — it's what the situation exposes about how most vendor risk programs work, and where the gaps are.
The real question isn't "did my vendor use Delve?"
It's: would my program have caught this if they had?
If your TPRM process accepts a SOC 2 report as proof of compliance without deeper engagement, the Delve situation is a demonstration of exactly how that trust can be manufactured. The report is a starting point for a conversation — not the end of one.
That framing should inform how you respond right now, and how you build your program going forward.
Is a SOC 2 report sufficient on its own?
It depends on the vendor and the risk.
For lower-risk vendors — those with limited access to sensitive data and not deeply integrated into critical systems — a clean SOC 2 from a credible auditor may be a reasonable basis for proceeding, especially as part of a tiered risk program.
For higher-risk vendors, a SOC 2 report is one signal, not a conclusion. Here's what a report can and can't tell you:
- What it can tell you: What a vendor claims about their controls, and that an auditor attested those claims were substantiated during a defined observation period.
- What it can't tell you: Whether those controls are still operating today. Whether the auditor was truly independent. Whether the controls described actually apply to the data and systems you're sharing. Whether the vendor's security posture has changed since the report was issued.
The Delve situation is the extreme version of the problem. But the underlying gap — document-based compliance accepted without evidence-based verification — is not unique to Delve's clients.
How to assess a vendor whose SOC 2 raises questions
Whether a vendor used Delve or not, the following questions are worth asking for any higher-risk vendor relationship. A legitimate audit process leaves evidence that template generation cannot replicate.
Check the auditor.
Ask for the auditing firm's name and verify their CPA license independently. For Delve specifically: the DeepDelver investigation found that 99%+ of Delve's clients in the most recent six months were audited by either Accorp or Gradient Certification — firms the investigation alleged were Indian certification mills with only nominal U.S. presence.² If either name appears on a vendor's SOC 2, that warrants a follow-up conversation.
Ask what changed during the observation period.
A real SOC 2 Type II covers 3–12 months of live operations. Legitimate reports reflect real events: personnel changes, vendor transitions, security incidents. The DeepDelver investigation found that in all 259 Type II reports analyzed, not a single Delve client had any personnel changes, security incidents, or customer terminations during their observation period² — a statistical impossibility across hundreds of different companies. Ask the vendor directly what changed during theirs.
Ask for the penetration test report.
Trust pages and SOC 2 reports can claim penetration testing occurred. The actual report — methodology, scope, findings, remediation status — is verifiable in ways a checkbox is not. According to the DeepDelver investigation, Delve's trust pages listed penetration testing as complete for clients who had received only an automated vulnerability scan.²
Ask a control question that requires an operational answer.
Request that a vendor describe, in plain terms, how a specific control actually works in their environment — access reviews, endpoint security enforcement, or offboarding procedures, for example. Template compliance produces policy documents. It cannot produce an authentic, specific operational answer that matches those documents.
What to do right now
This week:
- Pull your vendor inventory and flag any SOC 2 reports where Accorp or Gradient Certification is the named auditing firm.
- For high-risk vendors with flagged reports, send a targeted follow-up questionnaire and request a conversation with their security team.
- Brief your security leadership: the Delve situation is the most prominent recent example of compliance theater reaching enterprise vendor portfolios — your program should have a documented response.
This quarter:
- Audit your assessment process: are you accepting documents as proof, or are you verifying claims through active engagement?
- Build a bulk re-assessment workflow for industry-wide events — when a compliance platform is called into question, you need to be able to move quickly across your vendor portfolio.
- Review your own security documentation: does it give your customers transparency they can actually verify, not just a list of controls you claim to have implemented?
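A worked triage over a vendor inventory, added here as an example that is not Whistic's code or part of the original post: it applies the red flags from the assessment questions and the "this week" checklist above (auditor named in the investigation, observation period outside 3-12 months, zero personnel changes, incidents or terminations, and a penetration test claim not backed by an actual report) to a constructed CSV. The vendor names, the "Example CPA LLP" auditor, the column layout and the triage actions are assumptions.

```python
import csv
import io
from datetime import date

# Auditor names the cited investigation flagged; taken from the post, not a verified list.
FLAGGED_AUDITORS = {"accorp", "gradient certification"}

# Constructed sample inventory: vendor names, auditor "Example CPA LLP" and all values are made up.
SAMPLE_INVENTORY = """vendor,tier,auditor,period_start,period_end,personnel_changes,incidents,terminations,pentest_evidence
AlphaSaaS,high,Accorp,2025-06-01,2025-11-30,0,0,0,automated scan only
BetaCloud,high,Example CPA LLP,2025-01-01,2025-12-31,4,1,2,full report
GammaTools,low,Gradient Certification,2025-10-01,2025-11-30,0,0,0,trust page claim
DeltaData,high,Example CPA LLP,2025-10-15,2025-11-30,0,0,0,full report
"""


def review_report(row):
    """Return the list of red flags for one vendor's SOC 2 Type II report row."""
    flags = []
    if row["auditor"].strip().lower() in FLAGGED_AUDITORS:
        flags.append("auditor named in investigation")
    start = date.fromisoformat(row["period_start"])
    end = date.fromisoformat(row["period_end"])
    months = round((end - start).days / 30.44)  # approximate month count
    if not 3 <= months <= 12:
        flags.append(f"observation period of {months} months outside 3-12")
    events = sum(int(row[k]) for k in ("personnel_changes", "incidents", "terminations"))
    if events == 0:
        flags.append("no events during observation period")
    if row["pentest_evidence"].strip().lower() != "full report":
        flags.append("penetration test not substantiated by a report")
    return flags


def triage(inventory_csv):
    """Map vendor -> (action, flags); flagged high-tier vendors get active follow-up."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        flags = review_report(row)
        if not flags:
            action = "accept"
        elif row["tier"].strip().lower() == "high":
            action = "follow-up questionnaire + security team conversation"
        else:
            action = "monitor"
        results[row["vendor"]] = (action, flags)
    return results


if __name__ == "__main__":
    for vendor, (action, flags) in triage(SAMPLE_INVENTORY).items():
        print(f"{vendor}: {action}; flags={flags}")
```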
How Whistic helps
Whistic is built for both sides of this problem.
For teams assessing vendors, our platform gives you on-demand access to security documentation, questionnaire responses, and audit materials for thousands of vendors in one place — so you can move quickly when situations like this arise. When a vendor's documentation raises questions, our AI helps surface anomalies: overly uniform language, thin operational detail, or gaps between what a policy claims and what questionnaire responses actually confirm. And when an industry event hits, our bulk assessment capability lets you reach your entire vendor portfolio with targeted questions fast.
For vendors building customer trust, Whistic's Trust Center lets you proactively share your actual security documentation — policies, certifications, questionnaire responses, audit reports — so customers have real material to evaluate, not just a claim. When an enterprise asks about your compliance program, you can respond with specifics from a single, maintained source of truth.
If you're working through this right now and want to talk it through — no pitch, no strings — reach out to our team. We've been in the weeds on vendor risk for nearly a decade, and we're happy to help.
Whistic is a third-party risk management platform founded in 2015, used by security teams at companies including Formstack, HireVue, Matterport, Finicity, SingleStore, and Calastone. Whistic's platform is built for both sides of the vendor security relationship — helping enterprises assess their vendors and helping vendors proactively share their security posture.

1. Delve Series A press release, PR Newswire, July 2025: https://www.prnewswire.com/news-releases/delve-raises-32m-series-a-to-build-ai-agents-for-compliance-302510121.html
2. DeepDelver, "Delve — Fake Compliance as a Service — Part I," Substack, March 19, 2026: https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service
3. Delve, "Response to Misleading Claims," delve.co, March 20, 2026: https://delve.co/blog/response-to-misleading-claims
4. Anthony Ha, "Delve accused of misleading customers with 'fake compliance,'" TechCrunch, March 21–22, 2026: https://techcrunch.com/2026/03/22/delve-accused-of-misleading-customers-with-fake-compliance/
5. Marina Temkin, "Insight Partners scrubs investment post about Delve amid 'fake compliance' allegations," TechCrunch, March 23, 2026: https://techcrunch.com/2026/03/23/delve-halts-demos-insight-partners-scrubs-investment-post-amid-fake-compliance-allegations
6. Ben Sherry, "The Delve Scandal: A Y Combinator Darling Just Got Hit With a Bombshell Fraud Accusation," Inc., March 23, 2026: https://www.inc.com/ben-sherry/the-delve-scandal-a-y-combinator-darling-just-got-hit-with-a-bombshell-fraud-accusation/91320652